Ivan Ristic wrote:
> Gerwin Krist -|- Digitalus Webhosting wrote:
>> Hmmm well I dunno exactly what this customer is using. I figured out
>> that customer is using Jupload (http://jupload.biz/) .
>
> I think JUpload is wrong here, but I've contacted the developers
> to see if they are actually using that parameter for anything.
I just heard from the JUpload developers. They are not using
the header. They have also removed it from their application in
their most recent build.
> I will also consider whether accepting unknown header parameters
> is dangerous or not. Maybe I can relax mod_security checks. ModSecurity
> is strict to reduce the possibility of someone exploiting impedance
> mismatch in parsing.
I am still considering my options here. At the moment I am
leaning toward introducing a bunch of options to allow for
better control of the implicit checks. This would be nice to have
if someone encounters a similar problem in the future.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
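Added illustration of the strictness Ivan describes (example code written for this archive page, not ModSecurity's own parser and not from anyone in the thread): a small parser for a multipart part's Content-Disposition header that rejects unknown parameters by default and accepts them only when explicitly relaxed, the kind of option being considered above. It assumes the header at issue is Content-Disposition, which the thread does not name.

```python
import re

# Assumption: the header at issue in the thread is a multipart part's
# Content-Disposition header; the thread itself does not name it.
KNOWN_PARAMS = {"name", "filename"}

# One parameter: name=value, value quoted or a bare token, ending at ';' or end of string.
_PARAM_RE = re.compile(r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^;"\s]*))\s*(?:;|$)')

def parse_content_disposition(value, allow_unknown=False):
    """Parse 'form-data; name="f"; filename="x"' into (disposition, params).

    Strict by default: malformed syntax, duplicate parameters, a missing
    'name' and (unless allow_unknown=True) unknown parameters raise ValueError,
    so the part is rejected instead of being parsed differently from how
    the application behind the firewall might parse it."""
    head, _, rest = value.partition(";")
    disposition = head.strip().lower()
    if disposition != "form-data":
        raise ValueError("disposition is not form-data: %r" % head)
    params, unknown, pos, rest = {}, [], 0, rest.strip()
    while pos < len(rest):
        m = _PARAM_RE.match(rest, pos)
        if m is None:
            raise ValueError("malformed parameter list at %r" % rest[pos:])
        name = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if name in params:
            raise ValueError("duplicate parameter %r" % name)
        if name not in KNOWN_PARAMS:
            unknown.append(name)
        params[name] = val
        pos = m.end()
    if unknown and not allow_unknown:
        raise ValueError("unknown parameters: %s" % ", ".join(unknown))
    if "name" not in params:
        raise ValueError("missing required parameter 'name'")
    return disposition, params

def is_accepted(value, allow_unknown=False):
    """True if the header passes the checks, False if it would be rejected."""
    try:
        parse_content_disposition(value, allow_unknown)
        return True
    except ValueError:
        return False
```

With a constructed header such as 'form-data; name="file"; filename="x.pdf"; size=4096', is_accepted() returns False in strict mode and True with allow_unknown=True.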

Ivan Ristic <ivanr <at> webkreator.com> writes:
>
> I've replicated the same problem using the virtual() function from
> PHP. Perhaps you are not buffering output in your configuration?
>
> I've sent a fix to Jeff to try it out.
>
The fix worked perfectly. Many thanks to Ivan for his quick and completely
successful fix. In case anyone is experiencing this problem, this is the
solution, straight from Ivan...
Replace:
ap_add_output_filter_handle(global_sec_filter_out, NULL, r, r->connection);
with
ap_add_output_filter_handle(global_sec_filter_out, msr->ctx_out, r, r->connection);
in the mod_security.c file.
Thanks again.
.jeff.
